Hacker Intelligence Reports

Hacker Intelligence Initiative (HII)

Issued approximately six times a year, the Imperva Hacker Intelligence Initiative (HII) reports go inside the cyber-underground to provide in-depth, forward-looking analysis at trending hacking techniques and interesting attack campaigns. These provocative, creative and innovative research papers aim not to solely understand what has happened in the past, but to deep dive into what is ahead and what’s needed to proactively stay ahead of hackers’ next moves.

Beyond Takeover - Stories from a Hacked Account

In this report, Imperva researchers explore the dynamics of credential theft. The team reversed a phishing hook to hack and track phishers using the same methods that phishers use on their victims. The report explores questions such as how long it takes from takeover to exploitation, what the attacker looks for in the hacked account, which decoys attract their attention, and what security practices they use to cover their tracks. Read the report to learn about real-world takeover stories and best practices for breach detection and remediation to protect your data.

Today’s File Security is So ’80s

The complexity of managing enterprise-level file permissions makes it increasingly difficult for security teams to keep track of who has access to what. In this report, Imperva researchers compare the traditional ‘static’ approach to file security with a more dynamic approach based on how users actually access files in the organization. Using the Dynamic Peer Group Analysis machine learning algorithm, virtual working peer groups are automatically identified and suspicious files access by unauthorized users can be immediately detected.

Phishing made easy: Time to rethink your prevention strategy?

In this report, Imperva researchers expose how cybercriminals are lowering the cost and increasing the effectiveness of phishing by leveraging compromised servers and turnkey phishing services, which are the key drivers of the overall increase in phishing attacks.

HTTP/2: In-depth Analysis of the Top Four Flaws of the Next Generation Web Protocol

This report analyzes the four high-profile vulnerabilities which the Imperva Defense Center team uncovered in the latest implementation of the Worldwide Web’s underlying protocol. Read this report to find out more about the exploitable vulnerabilities which the team discovered in nearly all of the new HTTP/2 components.

Black Hat SEO: A Detailed Analysis of Illegal SEO Tactics

Researchers at the Imperva Defense Center have discovered a series of long-running, multi-vector search engine optimization (SEO) campaigns that exploit vulnerabilities in thousands of legitimate websites to illegally increase the SEO results for malicious websites. Read this report to find out how hackers use these botnet-driven SEO attacks to promote malicious websites.

Insiders: The Threat Is Already Within

While most enterprises are buffing up their security layers—which is important—most of the focus to date has been on threats that come from outside, while threats from within are being neglected. Read this report to find out more about this widespread security concern.

The Secret Behind CryptoWall’s Success

Our Imperva Defense Center team peeled back the layers in the financial transactions to see how far we could trace the money trail behind one of the most successful Ransomware—CryptoWall 3.0—with information available in the open. Are there many criminals behind this ruthless ransomware or just a handful of very organized gangs? Read the report to find the surprising answer.

Phishing Trip to Brazil

This report offers a detailed look at a cyber attack targeting consumers, a banking Trojan, and shows how consumer-centric cyber crimes can compromise the enterprise. The report also demonstrates that despite potential anti-malware defenses, attacks that direct individual employees can easily enter the enterprise network.

Man in the Cloud (MITC) Attacks

In this report, we demonstrate a new type of attack we call “Man in the Cloud” (MITC). These MITC attacks rely on common file synchronization services (such as GoogleDrive and Dropbox) as their infrastructure for command and control (C&C), data exfiltration, and remote access. Without using any exploits, we show how simple re-configuration of these services can turn them into a devastating attack tool that is not easily detected by common security measures.

Since most organizations either allow their users to use file synchronization services, or even rely on these services as part of their business toolbox, we think that MITC attacks will become prevalent in the wild. As a result, we encourage enterprises to shift the focus of their security effort from preventing infections and endpoint protection to securing their business data and applications at the source.

Attacking SSL when using RC4: Breaking SSL with a 13-year-old RC4 Weakness

RC4 is the most popular stream cipher in the world. It is used to protect as many as 30 percent of SSL traffic today, probably summing up to billions of TLS connections every day.

In this paper, we revisit the Invariance Weakness—a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak keys, which was first published in the FMS paper in 2001. We show how this vulnerability can be used to mount several partial plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session cookies, passwords, and credit card numbers. This paper will describe the Invariance Weakness in detail, explain its impacts, and recommend some mitigating actions.

Anatomy of Comment Spam

Comment spammers are most often motivated by search engine optimization, so that they can use a promoted site for advertisement and malware distribution. Attackers are also known to use comment spam for the purpose of click fraud. The comment spam issue has become so prevalent that organizations are fighting back, by implementing mitigation services. Interestingly, there have been incidents of spammers fighting anti-spammers in an attempt to shut down those mitigation services, and many of those counter attacks have been successful.

In our research, we examined the attacker’s point of view, including the comment spam techniques and tools. In addition, we examined the victim’s point of view to understand how organizations deal with comment spam today.

The Non-Advanced Persistent Threat

In this report, we focus on the phases of escalating privileges and collecting information. We expose some powerful, yet extremely simple techniques that allow attackers to efficiently expand their reach within an infected organization. We show how attackers achieve their goals without resorting to zero-day vulnerabilities and sophisticated exploits, and how organizations can protect themselves against the outcomes of such attacks.

Assessing the Threat Landscape of DBaaS

This report does an in-depth analysis of malware that used a shared hosting database for its Command and Control and drop server, Imperva analyzes a new malware platform for cybercriminals: Database as a Service (DBaaS). The report concludes that by bringing data one step closer to hackers, DBaaS makes it possible for hackers to compromise an organization's database without accessing its network -- ultimately increasing the risk of a data breach.

PHP SuperGlobals: Supersized Trouble

In the most recent Hacker Intelligence Initiative report, Imperva analyses vulnerabilities found in the SuperGlobal parameters of the PHP platform. Imperva finds that hackers are packaging higher levels of sophistication into simpler scripts and that a multi-step attack requires a multi-layered application security solution.

Get What You Give: The Value of Shared Threat Intelligence

The Imperva Defense Center analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the Imperva Defense Center:

Lessons Learned From the Yahoo! Hack

On December 2012, a hacker claimed to have breached Yahoo!'s security systems and acquired full access to certain Yahoo! databases, leading to full access on the server for that domain. Technically, we found that the hacker was able to determine the allegedly vulnerable Yahoo! application and the exact attack method, a SQL injection. This attack underscores the security problem posed by hosting third-party code  as is often done with cloud-based services. Our report explains:

How to protect third-party Web applications against SQL injection and other Web attacks.

Assessing the Effectiveness of Antivirus Solutions

How good is antivirus? How should enterprises invest in endpoint protection? Imperva collected and analyzed more than 80 previously non-cataloged viruses against more than 40 antivirus solutions. Imperva found:

Antivirus solutions have a difficult time detecting newly created viruses  While antivirus vendors may constantly work to update their detection mechanisms, the initial rate of detection of new viruses by antivirus solutions in the study was less than 5%. Antivirus solutions in the study were unable to provide complete protection since they are unable to keep up with virus propagation on the Internet.

Antivirus solutions lag in updating signatures In some cases in the study, it took anti-virus solutions up to four weeks following the initial scan to detect a virus.

Investment in antivirus is misaligned  In 2011, Gartner reported that consumers spent $4.5 billion on antivirus while enterprises spent $2.9 billion, a total of $7.4 billion or more than a third of the total of $17.7 billion spent on security software. In addition, certain freeware solutions in the study proved equally or more effective than paid solutions.

Monitoring Hacker Forums

The Imperva second annual hacker forum analysis detects black market for social network fraud. By examining what information hackers seek out or share in forums, security teams can better understand where hackers are focusing their efforts. One thing is unmistakable: If organizations neglect SQL injection security, we believe that hackers will place more focus on those attacks.

Denial of Service Attacks: A Comprehensive Guide to Trends, Techniques and Technologies

On hacker forums, denial of service remains the most discussed topic. Hackers continue to develop tools to optimize this attack method. Why? DDoS attacks do not seek to breach data integrity or privacy; they can be conducted without the requirement of identifying vulnerabilities to exploit the application. This report catalogs the latest trends, techniques and technologies deployed by hackers and gives security professionals specific steps to mitigate the threat.

A CAPTCHA in the Rye

How effective are CAPTCHAs as a security mechanism against malicious automation? We report and analyze four case studies and draw conclusions as to the best ways to implement CAPTCHAs as an integrated part of a security strategy. Specifically, security teams should use novel CAPTCHA methods that make the CAPTCHA into something enjoyable, like a mini-game. Also, we help identify how to present a CAPTCHA only when users exhibit suspicious behavior by implementing various automation detection mechanisms.

Dissecting a Hacktivist Attack

The fundamental tenet of Web 2.0, user-generated content, is also the Achilles Heel from a security standpoint. Why? Allowing the upload of user-generated content to the website can be extremely dangerous as the server which is usually considered by other users and the application itself as ""trusted"" now hosts content that can be generated by a malicious source.

Automation of Attacks

How do hackers automate? What do they automate? And most importantly: How can security teams block automated attacks? The latest Hacker Intelligence Initiative from the Imperva Defense Center will help you answer these questions and many more.

Remote and Local File Inclusion Vulnerabilities 101

Remote and local file inclusion (RFI/LFI) attacks are a favorite choice for hackers and many security professionals aren't noticing. RFI/LFI attacks enable hackers to execute malicious code and steal data through the manipulation of a company's web server. RFI was among the four most prevalent Web application attacks used by hackers in 2011. In fact, RFI/LFI was used most prominently by hacktivists. Most recently, a military dating website was breached using RFI/LFI by hacktivist group Lulzsec. RFI and LFI attacks take advantage of vulnerable PHP Web application parameters by including a URL reference to remotely hosted malicious code, enabling remote execution. PHP is a programming language designed for Web development and is in use across more than 77 percent of applications on the Internet.

The Anatomy of an Anonymous Attack

This Imperva Defense Center report details the never-before-seen details on an attack by hacktivist group 'Anonymous' against a high-profile unnamed target during a 25 day period in 2011. The Hacker Intelligence Summary Report - The Anatomy of an Anonymous Attack - offers a comprehensive analysis of the attack including a detailed timeline of activities from start to finish, an examination of the hacking methods utilized as well as insights on the use of social media to recruit participants and coordinate the attack.

Enterprise Password Worst Practices

In 2009, Imperva published a report on 32 million breached passwords entitled ""Consumer Password Worst Practices."" Since then, successive breaches have highlighted consumers' inability to make sufficient password choices. Enterprises can no longer rely on employees, partners or consumers when it comes to password security. Instead, responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline. Passwords should be viewed by security teams as highly valuable data - even if PCI or other security mandates don't apply. This paper guides enterprises to rectify poor password management practices.

Security Trends 2012

Hacking is inherently innovative and constantly changing. As 2012 approaches, security teams will need to adapt to a changing threat landscape as Cybersecurity remains one of the most dynamic and fluid disciplines worldwide. The Imperva Defense Center, led by Imperva CTO Amichai Shulman, is exclusively focused on advancing the practice of Cybersecurity to help companies shield themselves from the threat of hackers and insiders. For 2012, the Imperva Defense Center has assembled a comprehensive set of predictions designed to help security professionals prepare for new threats and attacks in cyber space.

Monitoring Hacker Forums

As a part of the Imperva hacker intelligence initiative, we monitor hacker forums to understand many of the technical aspects of hacking. Forums are the cornerstone of hacking - they are used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction. Forums contain tutorials to help curious neophytes mature their skills. Chat rooms are filled with technical subjects ranging from advice on attack planning and solicitations for help with specific campaigns. Commercially, forums are a marketplace for selling of stolen data and attack software. Most surprisingly, forums build a sense of community where members can engage in discussions on religion, philosophy and relationships.

An Anatomy of a SQL Injection Attack (SQLi)

This month's report from the Imperva Hacker Intelligence Initiative (HII) focuses on the rise in SQL Injection (SQLi) attacks on the Web. Dominating headlines for the past year, SQLi has become a widely-known, even outside the circle of security professionals. And for good reason: SQL injection is probably the most expensive and costly attack since it is mainly used to steal data. Famous breaches, including Sony, Nokia, Heartland Payment Systems and even Lady Gaga's Web sites were compromised by hackers who used SQL injection to break-in to the application's backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. This report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.

The Convergence of Google and Bots: Searching for Security Vulnerabilities using Automated Botnets

This Imperva Hacker Intelligence Initiative (HII) report reveals that hackers are leveraging the power of search engines to conduct cyber reconnaissance. Hackers, armed with a browser and specially crafted search queries (""Dorks""), are using botnets to generate more than 80,000 daily queries, identify potential attack targets and build an accurate picture of the resources within that server that are potentially exposed. Automating the query and result parsing enables the attacker to issue a large number of queries, examine all the returned results and get a filtered list of potentially exploitable sites in a very short time and with minimal effort. As searches are conducted using botnets, and not the hacker's IP address, the attacker's identity remains concealed.

Remote File Inclusion

We begin our first report by describing an attack which usually flies under the radar – Remote File Inclusion (RFI). Although these attacks have the potential to cause as much damage as the more popular SQL Injection and Cross-Site Scripting (XSS) attacks, they are not widely discussed. HII has documented examples of automated attack campaigns launched in the wild. This report pinpoints their common traits and techniques, as well as the role blacklisting can play in mitigating them.

SQL Injection Signatures Evasion

If you think SQL injection signatures are enough to protect your web applications, you will pay for it dearly. Imperva research labs delves into the details of how hackers can evade SQL signatures and get to your data.